Welcome to Splunk Answers, a Q&A forum for users to find answers to questions about deploying, managing, and using Splunk products. Contributors of all backgrounds and levels of expertise come here to find solutions to their issues, and to help other users in the Splunk community with their own questions.

This quick tutorial will help you get started with key features to help you find the answers you need. You will receive 10 karma points upon successful completion!

Refine your search:

How can I use a dashboard form to search an index for multiple single field values space delimited simultaneously, such as usernames and then in my output match them against another field such as phonenumber, address etc?

0

Basically looking to create a table with matching items ie if I search for the following field username in active directory:bob.smith tom.smith etc.

The subsearch will just create a set of events for each user in the text box. Each of those events will just have one field called user. So once Splunk resolves the subsearch, the main search will look more like this (which you can see in the search log):

why do I need a noop? It seems to work as is for me (6.6.x on laptop)...haven't used noop for a bit, but maybe I should start again? Does the subsearch resolve multi value fields like separate events ?

Interesting; when did stats become a generating command? You are correct; though; |noop is no longer necessary. Yes, the subsearch automatically resolves multi-valued fields in the way that you would expect.